Trivy isn't able to detect fingerprint of golang binary in scratch container and aborts table scan

[pputman-clabs]

Description

Version: 0.58.0
I have a go program built in a container, then copied to a scratch container, and trivy isn't detecting it as a golang program.

I have other apps with this same docker setup (image golang:1.23-bookworm) that trivy detects their "OS" as the golang binary and scans it.
I'm not sure what information I'd need to provide for this, but happy to add anything upon request.

The container and application both build properly

Desired Behavior

Expect trivy to be able to detect the image as being a stripped down golang binary for this app

Actual Behavior

Trivy can't detect the "OS" so it doesn't produce a scan report

Reproduction Steps

1. build docker image here https://github.com/celo-org/akeyless/blob/main/akeyless-action/Dockerfile
2. scan it with: trivy image imagename
3. it will not  detect it or scan it

Target

Container Image

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

2024-12-20T18:53:57-06:00	DEBUG	No plugins loaded
2024-12-20T18:53:57-06:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2024-12-20T18:53:57-06:00	DEBUG	Cache dir	dir="/Users/patrick/Library/Caches/trivy"
2024-12-20T18:53:57-06:00	DEBUG	Cache dir	dir="/Users/patrick/Library/Caches/trivy"
2024-12-20T18:53:57-06:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-12-20T18:53:57-06:00	DEBUG	Ignore statuses	statuses=[]
2024-12-20T18:53:57-06:00	DEBUG	DB update was skipped because the local DB is the latest
2024-12-20T18:53:57-06:00	DEBUG	DB info	schema=2 updated_at=2024-12-20T18:16:03.521502838Z next_update=2024-12-21T18:16:03.521502497Z downloaded_at=2024-12-21T00:33:00.4045Z
2024-12-20T18:53:57-06:00	DEBUG	[pkg] Package types	types=[os library]
2024-12-20T18:53:57-06:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2024-12-20T18:53:57-06:00	INFO	[vuln] Vulnerability scanning is enabled
2024-12-20T18:53:57-06:00	INFO	[secret] Secret scanning is enabled
2024-12-20T18:53:57-06:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-20T18:53:57-06:00	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-20T18:53:57-06:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-12-20T18:53:57-06:00	DEBUG	Initializing scan cache...	type="fs"
2024-12-20T18:53:57-06:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-12-20T18:53:57-06:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-12-20T18:53:57-06:00	DEBUG	[image] Detected image ID	image_id="sha256:0cc7c2138d8dde21a8162a7a39fa66bde09134651e1dd0c5cce3ec84a36e39e8"
2024-12-20T18:53:57-06:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:e8fe59378a27361bbb65b8cada765b8ced790c0cb32e1e40e6d5b347741ad5ee sha256:7046b5a4361ee9255525a5e27cbe04268c85b6602ddc26403ca3f4a92255d91b]
2024-12-20T18:53:57-06:00	DEBUG	[image] Detected base layers	diff_ids=[]
2024-12-20T18:53:57-06:00	DEBUG	OS is not detected.
2024-12-20T18:53:57-06:00	DEBUG	Detected OS: unknown
2024-12-20T18:53:57-06:00	INFO	Number of language-specific files	num=1
2024-12-20T18:53:57-06:00	INFO	[gobinary] Detecting vulnerabilities...
2024-12-20T18:53:57-06:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="bin/akeyless-actions"
2024-12-20T18:53:57-06:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="github.com/celo-org/akeyless-action"
2024-12-20T18:53:57-06:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2024-12-20T18:53:57-06:00	DEBUG	[vex] VEX filtering is disabled

Operating System

Linux (github actions platform)

Version

Version: 0.58.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-12-20 18:16:03.521502838 +0000 UTC
  NextUpdate: 2024-12-21 18:16:03.521502497 +0000 UTC
  DownloadedAt: 2024-12-21 00:33:00.4045 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[knqyf263]

Looks like https://github.com/celo-org/akeyless/blob/main/akeyless-action/Dockerfile is private

[pputman-clabs]

Sorry, the image is at
trivy image us-west1-docker.pkg.dev/devopsre/akeyless-public/akeyless-action:latest --debug
and is public.

[pputman12]

I built the image locally and ran this on it, and its not printing the summary, because it doesn't detect the OS. it does see its a go binary I guess?
`rivy i a36e84e4283c --debug
2024-12-23T13:30:00-06:00 DEBUG No plugins loaded
2024-12-23T13:30:00-06:00 DEBUG Default config file "file_path=trivy.yaml" not found, using built in values
2024-12-23T13:30:00-06:00 DEBUG Cache dir dir="/Users/patrick/Library/Caches/trivy"
2024-12-23T13:30:00-06:00 DEBUG Cache dir dir="/Users/patrick/Library/Caches/trivy"
2024-12-23T13:30:00-06:00 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-12-23T13:30:00-06:00 DEBUG Ignore statuses statuses=[]
2024-12-23T13:30:00-06:00 DEBUG DB update was skipped because the local DB is the latest
2024-12-23T13:30:00-06:00 DEBUG DB info schema=2 updated_at=2024-12-23T12:16:20.726416721Z next_update=2024-12-24T12:16:20.726415519Z downloaded_at=2024-12-23T14:12:46.33617Z
2024-12-23T13:30:00-06:00 DEBUG [pkg] Package types types=[os library]
2024-12-23T13:30:00-06:00 DEBUG [pkg] Package relationships relationships=[unknown root workspace direct indirect]
2024-12-23T13:30:00-06:00 INFO [vuln] Vulnerability scanning is enabled
2024-12-23T13:30:00-06:00 INFO [secret] Secret scanning is enabled
2024-12-23T13:30:00-06:00 INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-23T13:30:00-06:00 INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-23T13:30:00-06:00 DEBUG Enabling misconfiguration scanners scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-12-23T13:30:00-06:00 DEBUG Initializing scan cache... type="fs"
2024-12-23T13:30:00-06:00 DEBUG [secret] No secret config detected config_path="trivy-secret.yaml"
2024-12-23T13:30:00-06:00 DEBUG [secret] No secret config detected config_path="trivy-secret.yaml"
2024-12-23T13:30:00-06:00 DEBUG [image] Detected image ID image_id="sha256:a36e84e4283cb494e705a7bd0d9f4a9d2d63587ecccc32927325947aaaf00b26"
2024-12-23T13:30:00-06:00 DEBUG [image] Detected diff ID diff_ids=[sha256:a261815cbd46e4b5f26a6b8d6c55a1f4f061345ca6a520d261109f5950cbeec7 sha256:68fcf80b394a3ff468c0acd8481d902cd5ef894d831229b49396e36346db2ac9]
2024-12-23T13:30:00-06:00 DEBUG [image] Detected base layers diff_ids=[]
2024-12-23T13:30:00-06:00 DEBUG OS is not detected.
2024-12-23T13:30:00-06:00 DEBUG Detected OS: unknown
2024-12-23T13:30:00-06:00 INFO Number of language-specific files num=1
2024-12-23T13:30:00-06:00 INFO [gobinary] Detecting vulnerabilities...
2024-12-23T13:30:00-06:00 DEBUG [gobinary] Scanning packages for vulnerabilities file_path="bin/akeyless-actions"
2024-12-23T13:30:00-06:00 DEBUG [gobinary] Skipping vulnerability scan as no version is detected for the package name="github.com/celo-org/akeyless-action"
2024-12-23T13:30:00-06:00 DEBUG Specified ignore file does not exist file=".trivyignore"
2024-12-23T13:30:00-06:00 DEBUG [vex] VEX filtering is disabled

`

[knqyf263]

It's designed now so the table format wouldn't be noisy.

[pputman-clabs]

I don't understand, is it because there's no vulnerabilities detected, or because it can't detect the OS? Is there any way to print out a text/table summary saying nothing found if there's nothing found?

[knqyf263]

If no vulnerability is detected, the table format doesn't show anything. If OS is not detected, it shows a warning message.

[knqyf263]

This idea might help your understanding.

[pputman12]

Hi, thanks for this, I guess I was a little confused about what the problem is and that this was intended. So just to confirm, this idea you linked hasn't been implemented yet, and there's no way to confirm with table whether or not a scan with 0 vulnerabilities was performed correctly, we just have to assume if we didn't see any results or errors everything is fine? (its an automated ci/cd scanning).
Table will make it easier for a report but I could look at just parsing the json output into my own style report if thats the case.

[knqyf263]

--debug shows which file is being scanned.

2024-12-25T10:23:46+04:00       DEBUG   [gomod] Scanning packages for vulnerabilities   file_path="go.mod"

[pputman12]

The github action here https://github.com/aquasecurity/trivy-action does't seem to have an input to enable debug, so there's not a way to detect this through github actions.
So there's no real easy way to confirm whether or not anything was scanned at all, or if it was just scanned with no issues